How does the SEC’s recent settlement with R.R. Donnelly & Sons Company impact internal controls for cybersecurity incidents?
In this episode of Corruption, Crime, and Compliance, Michael Volkov discusses a significant decision by the SEC involving a $2.1 million settlement with RR Donnelly & Sons Company (RRD) related to a 2021 ransomware attack.
The SEC’s decision marks the first time it has applied its internal controls enforcement authority to cover cybersecurity policies and procedures, representing a substantial expansion of its enforcement reach.
The SEC criticized RRD for failing to prioritize the review of security alerts and implement an effective workflow for escalating such reports. This oversight led to delayed detection and response to the cyber attack, during which hackers exfiltrated 70 gigabytes of data, including personal and financial information tied to 29 clients.
You’ll hear him talk about:
- The importance of robust internal controls to ensure prompt investigation and escalation of potential cybersecurity incidents.
- The need for companies to allocate sufficient resources and personnel to monitor and respond to third-party security alerts.
- The SEC’s critique of RRD’s internal incident response policies, particularly the lack of clear lines of responsibility and efficient workflows.
- The dissenting opinions within the SEC regarding the broad application of internal controls to cybersecurity, highlight the need for specific guidance on reasonable cybersecurity controls.
Resources:
